CVE-2025-58361
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-05
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| promptcraft | promptcraft-forge-studio | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical cross-site scripting (XSS) issue in Promptcraft Forge Studio caused by an incomplete URL scheme validation. The sanitizer function intended to block dangerous URL schemes only removes certain patterns like 'javascript:', but fails to block 'data:' URLs. Attackers can exploit this by injecting malicious SVG content with embedded scripts via 'data:' URLs. When these URLs are used in HTML attributes like href or src, the embedded script executes, allowing arbitrary JavaScript execution within the application's origin. [1]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to arbitrary JavaScript execution in the context of the vulnerable application. This can result in theft of user tokens, unauthorized actions performed on behalf of the user, and other malicious activities. The attack requires user interaction, such as clicking or rendering a crafted URL. The impact includes high confidentiality and integrity risks, but no impact on availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by searching for usage of the vulnerable sanitizer function in the file src/utils/validation.ts and checking whether user-controlled URLs are passed through it without proper scheme validation. You can also scan your codebase for occurrences of URLs using the 'data:' scheme in href or src attributes. For example, the following commands find potentially vulnerable code:

1. Search for usage of the sanitizer function or the validation.ts file: `grep -r 'sanitizeUrl' ./src/utils/`
2. Search for occurrences of 'data:' URLs in the codebase: `grep -r 'data:image/svg+xml' ./`
3. Search for href or src attributes that might use user input: `grep -rE '(href|src)="[^"]*"' ./`

Additionally, monitoring network traffic for suspicious URLs containing 'data:' schemes or SVG content with embedded scripts can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the current URL sanitizer with a strict allow-list approach that only permits safe URL schemes such as 'http:' and 'https:'. Specifically, implement a sanitizer function similar to the recommended one that uses the URL API to validate schemes and rejects all others including 'data:', 'javascript:', and 'vbscript:'. Avoid relying on regex for scheme validation. Additionally, avoid passing untrusted strings to functions like dangerouslySetInnerHTML, and prefer using relative URLs or explicit allow-lists. Since no patched versions are available, applying these code changes is critical to prevent exploitation. [1]
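The allow-list sanitizer recommended above, as an added example that is not Promptcraft Forge Studio's code: a constructed deny-list function of the kind the advisory describes sits beside a replacement that uses the URL API, so the 'data:' gap and the effect of scheme canonicalisation can be compared directly. The function names, the permitted scheme set and the placeholder base URL are assumptions for this example.

```typescript
// Deny-list pattern (constructed illustration of the flaw, not the project's code):
// strips known-bad schemes only. 'data:' is not on the list, so a data: URL carrying
// SVG with embedded script passes through unchanged.
function sanitizeUrlDenyList(url: string): string {
  return url.replace(/javascript:/gi, '').replace(/vbscript:/gi, '');
}

// Allow-list replacement. The permitted set is an assumption for this example;
// the advisory names 'http:' and 'https:' as the safe schemes.
const ALLOWED_SCHEMES: ReadonlySet<string> = new Set(['http:', 'https:']);
const SAFE_PLACEHOLDER = 'about:blank';

// Placeholder base (assumed) so that relative links such as '/docs' can be parsed.
// Its host never reaches the caller: relative input is returned exactly as given.
const RELATIVE_BASE = 'https://relative-base.invalid/';

function tryParseUrl(candidate: string): URL | null {
  try {
    return new URL(candidate, RELATIVE_BASE);
  } catch {
    // Unparseable input (e.g. a malformed host) is rejected, not passed through.
    return null;
  }
}

function sanitizeUrl(input: string): string {
  const candidate = input.trim();
  const parsed = tryParseUrl(candidate);
  if (parsed === null) {
    return SAFE_PLACEHOLDER;
  }
  // URL.protocol is canonical: lower-cased, with ASCII tab/newline removed by the
  // parser, so spellings that slip past a literal regex (JaVaScRiPt:, java\tscript:)
  // still fail the allow-list check. This checks the scheme only; restricting hosts
  // for absolute or protocol-relative links is a separate control.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return SAFE_PLACEHOLDER;
  }
  return candidate;
}
```

Rendering the returned string in an href or src attribute is safe with respect to scheme; it does not replace output encoding for the attribute itself.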